NC-AUTH-003

No tokens in OpenClaw log files

🟠 High ⚗️ Experimental (not scored)

What this checks

Scans OpenClaw log files for accidentally logged credentials.

Why it matters

Tokens in log files persist on disk and may be exposed through log aggregation or shared access.

How to fix it

Step 1. Find out which log files contain credentials. Check the finding detail:

openclaw security audit --json | jq '.findings[] | select(.checkId=="security.secrets.tokens_in_logs") | .detail'

Step 2. Enable log redaction. Add the following to your OpenClaw config to redact sensitive fields before they are written to log files:

logging:
  redact:
    enabled: true
    fields:
      - authorization
      - x-api-key
      - token
      - password
      - secret

Step 3. Rotate exposed credentials. Any token that appeared in log files should be treated as potentially compromised. Revoke and reissue it in the relevant service dashboard.

Step 4. Clear old log files that contain the exposed values:

# Find the log location
openclaw config path
# Then truncate or remove the log files (OpenClaw will recreate them)
rm ~/.openclaw/logs/*.log

Step 5. Restart and verify: run openclaw gateway restart, then re-run the audit to confirm the finding is gone.
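Added example (not OpenClaw's or clawvitals' own code): a Python redaction filter that does what the logging.redact field list in Step 2 describes, for both JSON log records and plain key=value or header-style lines, plus a scanner of the kind the tokens_in_logs check performs, run over constructed sample lines. The [REDACTED] mask, the key=value matching rules and the sample log lines are assumptions; OpenClaw's real log format is not shown on this page.

```python
import json
import re

# Field names taken from the redaction config in Step 2 (assumption: matched
# case-insensitively, as JSON keys or as "key=value" / "Key: value" pairs).
REDACT_FIELDS = ("authorization", "x-api-key", "token", "password", "secret")
MASK = "[REDACTED]"  # assumed mask string; OpenClaw's own is not documented here

# Groups: 1 field, 2 quote after key, 3 separator, 4 opening quote,
# 5 value (an optional "Bearer " scheme plus one token), 6 closing quote.
_KV_RE = re.compile(
    r"(?i)\b(" + "|".join(re.escape(f) for f in REDACT_FIELDS) + r")\b"
    r"(\"?)(\s*[:=]\s*)(\"?)((?:bearer\s+)?[^\s\",;]+)(\"?)"
)

def redact_record(record: dict) -> dict:
    """Mask configured fields in a structured log record, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key.lower() in REDACT_FIELDS:
            out[key] = MASK
        elif isinstance(value, dict):
            out[key] = redact_record(value)
        else:
            out[key] = value
    return out

def redact_line(line: str) -> str:
    """Redact one log line: JSON records structurally, anything else by pattern."""
    try:
        return json.dumps(redact_record(json.loads(line)))
    except (json.JSONDecodeError, AttributeError):
        # Not a JSON object: fall back to key=value / "Key: value" matching.
        return _KV_RE.sub(r"\1\2\3\4" + MASK + r"\6", line)

def scan_for_leaks(lines):
    """Return (line_no, field) for every sensitive field whose value is not masked.
    Only "field<sep>value" pairs count, so the bare word 'token' in a message
    is not reported (this is the false-positive trade-off noted below)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in _KV_RE.finditer(line):
            if m.group(5) != MASK:
                hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample lines; the credential values are placeholders, not real.
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z INFO headers Authorization: Bearer sk-CONSTRUCTED-123, x-api-key=CONSTRUCTED-KEY",
    '{"level":"debug","msg":"login","user":"alice","password":"hunter2-CONSTRUCTED"}',
    "2024-01-01T00:00:01Z INFO token refresh ok",
]

if __name__ == "__main__":
    print(scan_for_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Running the scanner again over the redacted output returns no hits, which is the same before/after comparison Step 5 asks you to make with the audit.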

Technical details

Field             Value
Control ID        NC-AUTH-003
Domain            AUTH
Severity          High
Status            Experimental
Data source       log_scan
Source type       derived
Mode              Mode 1 (OpenClaw native)
Introduced in     Library v0.1.0
OWASP LLM 2025    LLM02: Sensitive Information Disclosure

False positive notes

The scan may match non-token strings in logs, so it carries a higher false-positive risk than the authoritative checks.

Suppress this finding

If this finding is intentional or not applicable to your setup, you can exclude it:

clawvitals exclude NC-AUTH-003 reason "your reason here"

Exclusions are auditable and expire automatically. See the exclusions guide.